How do you test modern web auth flows for logic flaws?

Assess OAuth2/OIDC, SSO, and JWT across SPAs/APIs for logic bugs, replay, and session mismanagement.
Design a test plan for OAuth2/OIDC/SSO that detects token misuse, replay, and session flaws in SPAs and APIs.

Penetration Tester (Web)

How do you design post-engagement validation and continuous security?
How do you test client-side controls and supply-chain risks?
How do you test modern web auth flows for logic flaws?
How do you validate chained web exploits (SSRF → internal API → auth bypass)?
How do you structure a full-scope web penetration test?

answer

I map the authentication model (AS/IdP, client, resource, browser/app) and enumerate flows (Auth Code + PKCE, OIDC, device code, refresh). I test state/nonce/PKCE handling, scope/audience checks, consent and redirect validation, and JWT signature/claims (iss/aud/exp/iat/nbf/kid). I probe refresh rotation, logout/session lifecycles, token storage in SPAs, and replay resistance. Network tests verify TLS, cookie flags, and CSRF. Findings feed risk-ranked fixes and compensating controls.

Long Answer

Modern web authentication spans OAuth2/OIDC, enterprise SSO, and JWT-based sessions consumed by SPAs and APIs. A robust penetration test focuses less on “breaking crypto” and more on logic correctness, token lifecycle, and session governance under real user and adversarial paths.

1) Threat model & system mapping

I begin by diagramming actors and trust boundaries: Authorization Server/IdP, clients (SPA/native/server), Resource Servers/APIs, and user agents. I list enabled flows (Authorization Code + PKCE, Implicit if legacy, Device Code, Client Credentials, Hybrid) and note redirect URIs, first-party vs public clients, cookie/session strategy, and where tokens are stored (memory, localStorage, cookies).

2) Flow correctness (Authorization Code with PKCE)

For the interactive flow, I verify PKCE enforcement on public clients, unpredictable code_verifier lengths, and that the server rejects wrong code_challenge methods. I test state integrity (no reuse, reflected back, tied to session) and nonce on OIDC (unique per request, checked in ID token). I validate redirect URIs: exact allow-list, no wildcards or open redirects, and no mixing http/https origins.

3) Token issuance & claims

I fetch ID/Access/Refresh tokens through legitimate and edge paths, then validate:

  • Signatures: accepted algorithms (no alg=none, enforce RS256/ES256 as configured), correct kid rotation handling.
  • Claims: iss, aud, sub, azp, exp, iat, nbf, auth_time, amr, nonce. Access tokens must be audience-scoped to the API; ID tokens never used for API authorization.
  • Scopes: least privilege, consent boundaries, and absence of unexpected default scopes.

4) API authorization & audience separation

I call APIs with swapped tokens: ID token to API, access token for a different aud, expired tokens, or tokens from another tenant. I confirm resource indicators are enforced and that the API checks aud/scp (or roles) server-side, not just presence of a token.

5) Token replay, fixation, and rotation

I record and replay tokens across devices, IPs, and times. For refresh tokens, I verify rotation (one-time use), revocation on reuse, and binding to client or session. Where supported, I assess DPoP/MTLS or token binding to limit replay. I check if auth codes are single-use and short-lived.

6) SPA storage & CSRF/Clickjacking defenses

For browser apps, I review token storage strategy. Prefer httpOnly, Secure, SameSite cookies for session tokens; if access tokens must live client-side, store in memory with short TTL. I test CSRF on cookie-based sessions and ensure state/PKCE protects OAuth endpoints. I validate framebusting and CSP to reduce clickjacking on consent or login forms.

7) Session lifecycle & logout

I test idle/absolute timeouts, refresh grace periods, and back-channel/front-channel logout if OIDC is used. I ensure revocation endpoints work and that downstream sessions (API gateways, SPA stores) are cleared on logout. I try session fixation by logging in across windows/tabs or changing identity mid-flow.

8) Non-interactive & SSO paths

For Device Code and Client Credentials, I verify polling limits, code entropy, and audience scoping. In SAML/enterprise SSO bridges, I check assertion signature/conditions, audience, and relay state handling, then re-enter OIDC/OAuth at the RP, ensuring claim translation can’t escalate privileges.

9) Error handling & downgrade resistance

I trigger malformed requests (bad response_type, missing nonce, mismatched redirect) and verify informative yet safe errors. I attempt legacy flow fallbacks (Implicit, password grant) and ensure they’re disabled. I test algorithm downgrades or kid confusion during key rotation.

10) Observability, rate limits, and recovery

I measure latency and throttling on token endpoints, brute-force guards on code/PKCE/verifier, and lockout policies. I review logs for privacy (no tokens in logs), structured audit of consent and revocation, and alerting on refresh reuse.

11) Reporting & remediation

Findings are prioritized by exploitability and blast radius: e.g., ID token used as API bearer (critical), wildcard redirects (critical), missing PKCE (high), refresh rotation absent (high), SameSite lax on sensitive cookies (medium). Remediation includes strict redirect allow-lists, enforced PKCE/nonce/state, audience-checked APIs, secure cookie flags, rotation with reuse detection, and deprecating legacy grants.

This approach surfaces the logic flaws that actually break auth in production, hardens sessions across SPAs/APIs, and aligns with modern controls like PKCE, rotation, and audience scoping.

Table

Area What I Test Good Looks Like Risk if Broken
Flow Controls state, nonce, PKCE Unique, verified, single-use CSRF, code injection
Redirects Allow-list, scheme/host Exact match, no wildcards Open redirect → token leak
Tokens Sig/alg/claims/aud RS/ES algs, strict aud Forgery, confused deputy
API AuthZ Scope/role checks Server-side aud/scp Lateral access, privilege rise
Replay Code/token reuse One-time codes, RT rotation Session hijack
Storage Cookies vs JS httpOnly/SameSite cookies XSS token theft
Logout Back/front-channel Session & token revocation Ghost sessions
Legacy/Downgrade Disabled grants, alg rules No Implicit, no alg=none Bypass controls
SSO Bridge SAML/OIDC mapping Signed, bound assertions Identity confusion
Telemetry Logs & rate limits No tokens in logs, alerts Silent abuse, leakage

Common Mistakes

  • Shipping Authorization Code without PKCE on public clients.
  • Treating ID tokens as API bearer tokens.
  • Weak redirect URI validation (wildcards, http, mixed case).
  • Not validating state/nonce, enabling CSRF and token substitution.
  • Missing audience checks on APIs; any valid token works anywhere.
  • Storing access/refresh tokens in localStorage, enabling XSS theft.
  • No refresh rotation or reuse detection; long-lived RTs.
  • Incomplete logout (client clears UI, tokens remain valid).
  • Accepting weak/none JWT algs or failing kid/keyset rotation checks.
  • Verbose errors that leak internals; no rate limits on token endpoints.

Sample Answers

Junior:
 “I map the OAuth2/OIDC flow, verify PKCE, and check state/nonce. I inspect JWTs for valid signatures and claims, and ensure APIs verify aud/exp. For SPAs, I prefer httpOnly cookies and test CSRF and logout behavior.”

Mid:
 “I test redirect allow-lists, claim validation, and audience scoping. I try replaying codes/tokens, confirm refresh rotation with reuse detection, and ensure ID tokens aren’t accepted by APIs. I review cookie flags (Secure/SameSite) and SPA storage, plus rate limits on token endpoints.”

Senior:
 “I run a full model: flow controls (PKCE/state/nonce), token lifecycle (rotation, revocation), audience isolation, and SSO bridges. I probe downgrade paths, kid/key rotation, and cross-tenant confusion. For SPAs, I require cookie-based sessions or short-lived in-memory access tokens. Findings are risk-ranked with concrete remediations and compensating controls.”

Evaluation Criteria

  • Coverage: Candidate tests flow controls (PKCE, state, nonce), token issuance, API authZ, replay, storage, logout, and downgrade paths.
  • Correctness: Differentiates ID vs Access tokens and validates claims (aud/iss/exp/nonce).
  • SPA posture: Recommends httpOnly cookie sessions or in-memory tokens, avoids localStorage.
  • API rigor: Enforces aud/scope server-side; rejects tokens from other clients/resources.
  • Lifecycle: Checks refresh rotation, revocation, single-use codes.
  • Hygiene: Cookie flags, CSRF, clickjacking, rate limits, and safe error handling.
  • Reporting: Risk-ranked findings with clear fixes.
    Red flags: Uses implicit grant, accepts alg=none, wildcards redirects, stores long-lived tokens in localStorage, or conflates ID/Access tokens.

Preparation Tips

  • Review OAuth 2.1 drafts, OIDC Core, and best practices for SPAs.
  • Practice testing PKCE, state, and nonce handling; try code/RT reuse.
  • Learn JWT validation: signature, header (kid), and core claims.
  • Build checklists for redirect allow-lists, audience scoping, and logout flows.
  • Explore DPoP/MTLS and refresh rotation with reuse detection.
  • Validate cookie Secure/HttpOnly/SameSite and CSRF defenses.
  • Instrument test rigs to replay tokens across origins/devices.
  • Study SSO bridges (SAML↔OIDC) and relay state integrity.
  • Prepare concise remediation guidance mapped to risks and owner teams.

Real-world Context

Retail SPA: APIs accepted any tenant’s access token if exp valid; adding strict aud checks and API scopes halted lateral access.
Fintech SSO: Wildcard redirect allowed open redirect; fixed with exact allow-lists and per-client URIs.
EdTech mobile: No refresh rotation; device theft enabled long-term reuse. Rotation with reuse detection and shorter TTLs closed the gap.
Healthcare portal: ID tokens were used as bearer tokens. Separating ID/Access usage and enforcing audience at the gateway removed the class of bugs.
SaaS suite: localStorage access tokens stolen via XSS; migrated to httpOnly session cookies with SameSite=strict and CSRF tokens, cutting token theft risk.

Key Takeaways

  • Enforce PKCE/state/nonce and exact redirect allow-lists.
  • Validate JWT signatures and claims; separate ID from Access tokens.
  • Scope APIs by audience/scope and reject cross-resource tokens.
  • Use refresh rotation with reuse detection; revoke on anomaly.
  • Favor httpOnly cookies or in-memory tokens for SPAs; never store secrets in localStorage.

Practice Exercise

Scenario:
 A multi-tenant SPA uses OIDC (Auth Code + PKCE) with an API gateway. Users authenticate via enterprise SSO (some SAML → OIDC bridges). SPAs store an access token in memory and a refresh token is issued. Recent incidents suggest token replay and cross-tenant access.

Tasks:

  1. Map flows: Document login, consent, token issuance, refresh, logout, and SSO bridging. Identify clients, redirect URIs, and token stores.
  2. Flow controls: Prove PKCE is enforced; fuzz state/nonce reuse and mismatches.
  3. Redirects: Attempt wildcards/open redirects; verify strict allow-lists and scheme/host matching.
  4. Token tests: Validate JWT alg/signature; inspect aud/iss/azp/exp/nbf. Try using ID tokens at APIs; attempt cross-tenant access with foreign aud.
  5. Replay: Reuse auth codes and refresh tokens; confirm single-use codes and refresh rotation with reuse detection/invalidations.
  6. API authZ: Send valid tokens to wrong resource; verify audience/scope rejection.
  7. Storage & CSRF: Review cookie flags, SameSite, and CSRF defenses for any cookie-based sessions; confirm SPA avoids localStorage for long-lived tokens.
  8. Logout: Validate back-/front-channel logout clears API sessions and blocks refresh.
  9. SSO bridge: For SAML→OIDC, validate assertion signature, audience, conditions, and relay state integrity.

Deliverable:
 A risk-ranked report with proof of findings, concrete remediations (PKCE/state/nonce hardening, audience enforcement, rotation with reuse detection, redirect allow-lists, secure storage), and owners/timelines.

More
Security & Testing
 Roles
Penetration Tester (Web)

Still got questions?

Schedule a Demo

Privacy Preferences

Essential cookies
Required
Marketing cookies
Personalization cookies
Analytics cookies
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.